UNODC Report: The Use of the Internet for Terrorist Purposes

UNITED NATIONS OFFICE ON DRUGS AND CRIME THE USE OF THE INTERNET FOR TERRORIST PURPOSES

158 pages

September 2012

Technology is one of the strategic factors driving the increasing use of the Internet by terrorist organizations and their supporters for a wide range of purposes, including recruitment, financing, propaganda, training, incitement to commit acts of terrorism, and the gathering and dissemination of information for terrorist purposes. While the many benefits of the Internet are self-evident, it may also be used to facilitate communication within terrorist organizations and to transmit information on, as well as material support for, planned acts of terrorism, all of which require specific technical knowledge for the effective investigation of these offences.

It is a commonly accepted principle that, despite the heinous nature of their acts, alleged terrorists should be afforded the same procedural safeguards under criminal law as any other suspects. The defence of human rights is a core value of the United Nations and a fundamental pillar of the rule-of-law approach to the fight against terrorism. The present publication accordingly highlights the importance of respect for the principles of human rights and fundamental freedoms at all times and, in particular, in the context of the development and implementation of legal instruments related to countering terrorism.

…

7. The Internet may be used not only as a means to publish extremist rhetoric and videos, but also a way to develop relationships with, and solicit support from, those most responsive to targeted propaganda. Terrorist organizations increasingly use propaganda distributed via platforms such as password-protected websites and restricted-access Internet chat groups as a means of clandestine recruitment. The reach of the Internet provides terrorist organizations and sympathizers with a global pool of potential recruits. Restricted access cyberforums offer a venue for recruits to learn about, and provide support to, terrorist organizations and to engage in direct actions in the furtherance of terrorist objectives. The use of technological barriers to entry to recruitment platforms also increases the complexity of tracking terrorism-related activity by intelligence and law enforcement personnel.

…

15. Online payment facilities may also be exploited through fraudulent means such as identity theft, credit card theft, wire fraud, stock fraud, intellectual property crimes and auction fraud. An example of the use of illicit gains to finance acts of terrorism can be seen in the United Kingdom case against Younis Tsouli (see para. 114 below). Profits from stolen credit cards were laundered by several means, including transfer through e-gold online payment accounts, which were used to route the funds through several countries before they reached their intended destination. The laundered money was used both to fund the registration by Tsouli of 180 websites hosting Al-Qaida propaganda videos and to provide equipment for terrorist activities in several countries. Approximately 1,400 credit cards were used to generate approximately £1.6 million of illicit funds to finance terrorist activity.

…

17. In recent years, terrorist organizations have increasingly turned to the Internet as an alternative training ground for terrorists. There is a growing range of media that provide platforms for the dissemination of practical guides in the form of online manuals, audio and video clips, information and advice. These Internet platforms also provide detailed instructions, often in easily accessible multimedia format and multiple languages, on topics such as how to join terrorist organizations; how to construct explosives, firearms or other weapons or hazardous materials; and how to plan and execute terrorist attacks. The platforms act as a virtual training camp. They are also used to share, inter alia, specific methods, techniques or operational knowledge for the purpose of committing an act of terrorism.

18. For example, Inspire is an online magazine allegedly published by Al-Qaida in the Arabian Peninsula with the stated objective of enabling Muslims to train for jihad at home. It contains a large amount of ideological material aimed at encouraging terrorism, including statements attributed to Osama Bin Laden, Sheikh Ayman al-Zawahiri and other well-known Al-Qaida figures. The fall 2010 edition included practical instructional material on how to adapt a four-wheel-drive vehicle to carry out an attack on members of the public and how a lone individual could launch an indiscriminate attack by shooting a gun from a tower. The publication even suggested a target city for such an attack, in order to increase the chances of killing a member of the Government.

…

1. Systematic approach to investigations involving the Internet

202. There is a vast range of data and services available via the Internet which may be employed in an investigation to counter terrorist use of the Internet. A proactive approach to investigative strategies and supporting specialist tools, which capitalizes on evolving Internet resources, promotes the efficient identification of data and services likely to yield the maximum benefit to an investigation. In recognition of the need for a systematic approach to using technological developments relating to the Internet for investigative purposes, the Raggruppamento Operativo Speciale of the Carabinieri of Italy developed the following guidelines, which have been disseminated through the University College Dublin, master’s programme in forensic computing and cybercrime (see section IV.G below) and implemented by domestic enforcement authorities of many member States of the International Criminal Police Organization (INTERPOL) and the European Police Office (Europol):

Protocol of a systematic approach

Data collection: This phase involves the collection of data through traditional investigative methods, such as information relating to the suspect, any co-inhabitants, relevant co-workers or other associates and information compiled through conventional monitoring activities of channels of communication, including in relation to fixed-line and mobile telephone usage.

Research for additional information available via Internet-based services: This phase involves requests to obtain information collected and stored in the databases of webbased e-commerce, communications and networking services, such as eBay, PayPal, Google and Facebook, as well as using dedicated search engines such as www.123people.com. Data collected by these services through commonly used Internet “cookies” also provide key information regarding multiple users of a single computer or mobile device.

The activities in phases (a) and (b) above provide information that may be combined and cross-referenced to build a profile of the individual or group under investigation and made available for analysis during later stages of the investigation.

VoIP server requests: In this phase, law enforcement authorities request information from VoIP service providers relating to the persons under investigation and any known affiliates or users of the same networking devices. The information collected in this phase may also be used as a form of “smart filter” for the purposes of verifying the information obtained in the two prior phases.

Analysis: The large volume of data obtained from VoIP servers and the providers of various Internet services are then analysed to identify information and trends useful for investigative purposes. This analysis may be facilitated by computer programs, which may filter information or provide graphic representations of the digital data collected to highlight, inter alia, trends, chronology, the existence of an organized group or hierarchy, the geolocation of members of such group, or factors common among multiple users, such as a common source of financing.

Identification of subjects of interest: In this phase, following smart analysis of the data, it is common to identify subjects of interest based, for example, on subscriber information linked to a financial, VoIP or e-mail account.

Interception activity: In this phase, law enforcement authorities employ interception tactics similar to those used for traditional communication channels, shifting them to a different platform: digital communication channels. Interception activity may be undertaken in connection with telecommunications services, such as fixed-line broadband, mobile broadband and wireless communications, as well as with regard to services provided by ISPs, such as e-mail, chat and forum communication services. In particular, in recent years experience has revealed vulnerabilities in new communications technologies which may be exploited for investigative or intelligence-gathering purposes. Due care should be taken with respect to ensuring the forensic integrity of the data being gathered and the corroboration, to the extent possible, of any intelligence gathered with objective identifiers such as GPS coordinates, time stamps or video surveillance.

Where permitted by domestic law, some law enforcement authorities may also employ digital monitoring techniques facilitated by the installation of computer hardware or applications such as a virus, a “Trojan Horse” or a keystroke logger on the computer of the person under investigation. This may be achieved through direct or remote access to the relevant computer, taking into consideration the technical profile of the hardware to be compromised (such as the presence of antivirus protections or firewalls) and the personal profile of all users of the device, targeting the least sophisticated user profile.

…

428. Public-private partnerships specifically targeting terrorist use of the Internet could also provide a means to promote clear guidelines regarding information-sharing between the private and public sector, consistent with applicable data protection regulations. A good basis for information-sharing guidelines is provided by the Council of Europe “Guidelines for the cooperation between law enforcement and Internet service providers against cybercrime”. The focus of these guidelines is the establishment of relationships of mutual trust and cooperation between public and private sector stakeholders as a foundation for cooperation. The guidelines also emphasize the need to promote efficient and cost-effective cooperation procedures. Law enforcement authorities and Internet service providers are encouraged to engage in information exchange to strengthen their capacity to identify and combat cybercrime through regular meetings and the sharing of good practices and feedback. The guidelines also encourage the establishment of formal partnerships and written procedures as a basis for longer-term relationships, to ensure, inter alia, that appropriate protections are provided that the partnership will not infringe upon the legal rights of industry participants or the legal powers of law enforcement authorities.

429. Recommended measures to be taken by law enforcement authorities pursuant to the guidelines include:

Engaging in broad strategic cooperation with ISPs, including by conducting regular technical and legal training seminars, as well as providing feedback on investigations conducted or intelligence gathered, based on ISP-initiated reports/complaints

Providing explanations and assistance to ISPs regarding investigation techniques not directly related to the case at hand, in order to facilitate an understanding of how ISP cooperation will result in more efficient investigations

Prioritizing requests for large volumes of data while avoiding unnecessary cost and disruption of business operations.

430. Recommended measures to be taken by Internet Service providers pursuant to the guidelines include:

Cooperating to minimize the use of services for illegal purposes

Reporting criminal activity to law enforcement authorities

When possible, providing a list, upon request, of which types of data could be made available for each service to law enforcement, upon receipt of a valid disclosure request.

431. Public-private partnerships may also provide a forum to promote minimum standards for the secure retention of data by private sector stakeholders and enhance the channels of communication for the provision of information by private sector stakeholders regarding suspicious activities.

Contribute Documents and Information

How to Contribute

Public Intelligence uses the SecureDrop document submission system developed and maintained by the Freedom of the Press Foundation to accept documents and securely communicate with anonymous sources.
For maximum privacy, please consider making your contribution while using a network that is not associated with yourself or your employer.
Download and install the Tor Browser Bundle from the Tor Project website at https://www.torproject.org.
Open the Tor Browser and enter the following URL:

arujlhu2zjjhc3bw.onion

Follow the instructions to contribute documents and information. You will be given a codename consisting of several random words. You can return to the SecureDrop site at a later date and enter this codename to see if we have responded to your submission. You can also respond to our questions or comments and provide more information if necessary.
For your own security, please consider the ramifications of discussing your contribution with anyone else.
For added security and privacy, consider using the Tails operating system to contribute. If you are knowledgeable about security software, consider encrypting your submission with our public PGP key prior to submission.
For more information on how SecureDrop works and how to use it as a source, see the official documentation maintained by the Freedom of the Press Foundation.

Security and Privacy Information

SecureDrop is accessed exclusively through a Tor "hidden service" that is designed to conceal your identity and location from us while allowing for secure connection utilizing end-to-end encryption. SecureDrop does not record your IP address, browser configuration, operating system or and will not utilize persistent cookies to track your activities.
Our SecureDrop servers are operated and maintained under the direct physical control of Public Intelligence.
We will retrieve your contribution and decrypt it on a computer that has never been connected to the internet with no hard drive installed or wireless communications interfaces.
Please remember that while we have made every effort to provide a secure platform for contributing information to this site, we cannot guarantee your privacy or security and make no representations about the service. Ultimately, your security and privacy is your own responsibility.